firezone/docker-compose.yml

version: '3.7'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:20.0
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    volumes:
      # Persist dev data
      - ./tmp/keycloak:/opt/keycloak/data
    command: start-dev
    ports:
      - 8080:8080
    networks:
      - app

  caddy:
    image: caddy:2
    volumes:
      - ./.devcontainer/Caddyfile:/etc/caddy/Caddyfile
      - ./.devcontainer/pki:/data/caddy/pki
    ports:
      - 80:80
      - 443:443
    networks:
      app:
        ipv4_address: 172.28.0.99
        ipv6_address: 2001:3990:3990::99

  firezone:
    build:
      context: .
      dockerfile: Dockerfile.dev
      args:
        DATABASE_URL: postgresql://postgres:postgres@postgres:5432/firezone_dev
    image: firezone_dev
    volumes:
      - ./priv:/var/app/priv
      - ./apps:/var/app/apps
      - ./config:/var/app/config
      - ./mix.exs:/var/app/mix.exs
      - ./mix.lock:/var/app/mix.lock
      # Mask the following build directories to keep compiled binaries isolated
      # from the local project. This is needed when the Docker Host platform
      # doesn't match the platform under which Docker Engine is running. e.g.
      # WSL, Docker for Mac, etc.
      - /var/app/apps/fz_http/assets/node_modules
    ports:
      - 51820:51820/udp
    environment:
      LOCAL_AUTH_ENABLED: 'true'
      FZ_WALL_CLI_MODULE: FzWall.CLI.Live
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      postgres:
        condition: 'service_healthy'
    networks:
      - app
      - isolation

  postgres:
    image: postgres:15
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: firezone_dev
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    ports:
      - 5432:5432
    networks:
      - app


  # Vault can act as an OIDC IdP as well
  vault:
    image: vault
    environment:
      - VAULT_ADDR=0.0.0.0:8200
    ports:
      - 8200:8200/tcp
    cap_add:
      - IPC_LOCK
    networks:
      - app

  # Only available for amd64 architectures
  # zitadel:
  #   networks:
  #     - app
  #   image: ghcr.io/zitadel/zitadel:stable
  #   command: start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
  #   environment:
  #     - ZITADEL_DATABASE_COCKROACH_HOST=crdb
  #     - ZITADEL_EXTERNALSECURE=false
  #   depends_on:
  #     crdb:
  #       condition: 'service_healthy'
  #   ports:
  #     - 8081:8080
  # crdb:
  #   image: cockroachdb/cockroach:v22.1.3
  #   command: start-single-node --insecure
  #   healthcheck:
  #     test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
  #     interval: '10s'
  #     timeout: '30s'
  #     retries: 5
  #     start_period: '20s'
  #   ports:
  #     - 9090:8080
  #     - 26257:26257
  #   networks:
  #     - app

  # The following services represent more self-hosted IdPs.
  # These are much lesser-known and not as trivial to get working
  # as KeyCloak, so leaving them here for someone to possibly play
  # with later.
  # authentik:
  #   image: ghcr.io/goauthentik/server:2022.10.1
  #   command: server
  #   depends_on:
  #     redis:
  #       condition: 'service_healthy'
  #   environment:
  #     AUTHENTIK_SECRET_KEY: NQgSe9lPF+rYlQY+aOpR6Wbi2PMPXxsunw5CX1wuqv9vB+nW
  #     AUTHENTIK_REDIS__HOST: redis
  #     AUTHENTIK_POSTGRESQL__HOST: postgres
  #     AUTHENTIK_POSTGRESQL__USER: postgres
  #     AUTHENTIK_POSTGRESQL__NAME: authentik
  #     AUTHENTIK_POSTGRESQL__PASSWORD: postgres
  #     AUTHENTIK_ERROR_REPORTING__ENABLED: true
  #   volumes:
  #     - ./tmp/authentik/media:/media
  #     - ./tmp/authentik/custom-templates:/templates
  #   ports:
  #     - 9000:9000
  #     - 9443:9443
  #
  # authentik-worker:
  #   depends_on:
  #     redis:
  #       condition: 'service_healthy'
  #   image: ghcr.io/goauthentik/server:2022.10.1
  #   command: worker
  #   environment:
  #     AUTHENTIK_SECRET_KEY: NQgSe9lPF+rYlQY+aOpR6Wbi2PMPXxsunw5CX1wuqv9vB+nW
  #     AUTHENTIK_REDIS__HOST: redis
  #     AUTHENTIK_POSTGRESQL__HOST: postgres
  #     AUTHENTIK_POSTGRESQL__USER: postgres
  #     AUTHENTIK_POSTGRESQL__NAME: authentik
  #     AUTHENTIK_POSTGRESQL__PASSWORD: postgres
  #     AUTHENTIK_ERROR_REPORTING__ENABLED: true
  #   volumes:
  #     - ./tmp/authentik/media:/media
  #     - ./tmp/authentik/certs:/certs
  #     - ./tmp/authentik/custom-templates:/templates
  #
  # redis:
  #   image: docker.io/library/redis:alpine
  #   command: --save 60 1 --loglevel warning
  #   restart: unless-stopped
  #   healthcheck:
  #     test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
  #     start_period: 20s
  #     interval: 30s
  #     retries: 5
  #     timeout: 3s
  #   volumes:
  #     - redis-data:/data
  #
  #

  # Unfortunately the Linux VM kernel for Docker Desktop is not compiled with
  # Dynamic Debug enabled, so we're unable to enable WireGuard debug logging.
  # Since WireGuard is designed to be silent by default, this basically does
  # nothing.
  # wireguard-log:
  #   image: ubuntu:jammy
  #   # cap SYSLOG was enough for reading but privilege is required for tailing
  #   privileged: true
  #   command: >
  #     bash -c '
  #     mount -t debugfs none /sys/kernel/debug
  #     && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
  #     && dmesg -wT | grep wireguard:'

  client:
    depends_on:
      - firezone
    image: linuxserver/wireguard:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - ALLOWEDIPS="0.0.0.0/0,::/0"
    volumes:
      - ./.devcontainer/wg0.client.conf:/config/wg0.conf
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - isolation

volumes:
  postgres-data:
  # Disabled due to Authentik being disabled
  # redis-data:

networks:
  app:
    enable_ipv6: true
    ipam:
      config:
        - subnet: 172.28.0.0/16
        - subnet: 2001:3990:3990::/64
  isolation: